[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eThis document provides instructions on how to collect AWS S3 server access logs and ingest them into Google SecOps via Amazon S3 or Amazon SQS.\u003c/p\u003e\n"],["\u003cp\u003eThe setup involves configuring AWS S3 server access logging and setting up a Google SecOps feed to collect and parse the logs.\u003c/p\u003e\n"],["\u003cp\u003eThe parser extracts data from logs, handles JSON input, and maps fields to the UDM (Unified Data Model), including data transformations and type conversions.\u003c/p\u003e\n"],["\u003cp\u003eSpecific steps include enabling server access logging in AWS, creating an SQS queue for the S3 bucket, and configuring the Google SecOps feed with the necessary AWS credentials and details.\u003c/p\u003e\n"],["\u003cp\u003eThe document includes a UDM mapping table that outlines how raw log fields are mapped to specific UDM fields, complete with logic for each mapping and information about the parser logic.\u003c/p\u003e\n"]]],[],null,["# Collect AWS S3 server access logs\n=================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to collect AWS S3 server access logs by setting up a Google Security Operations feed. The parser extracts fields using grok patterns, handles potential JSON input, and maps the extracted fields to the UDM. It performs data transformations, type conversions, and conditional logic based on the presence and values of specific fields to ensure accurate UDM representation.\n\nBefore you begin\n----------------\n\nEnsure you have the following prerequisites:\n\n- Google SecOps instance\n- Privileged access to AWS\n\nHow to configure AWS S3 server access logging\n---------------------------------------------\n\nGoogle SecOps supports log collection using Amazon S3 through Amazon SQS.\n\n1. Sign in to the **AWS Management** console.\n2. Access the Amazon S3 console.\n3. Go to **Amazon S3 \\\u003e Buckets**.\n4. Select an existing bucket or create a new one.\n5. Click **Properties**.\n6. In the **Server access logging** section, click **Edit**.\n7. Select **Enable**.\n8. In the **Target bucket** field, enter a name for the new bucket to send the log record objects to or select an existing bucket as the target.\n\n| **Note:** Your target bucket cannot have server access logging enabled. You can deliver logs to any bucket you own in the same region as the source bucket. However, it is not recommended to use the original source bucket.\n\n1. Click **Save changes**.\n2. To create the SQS queue for the S3 bucket, configure an Amazon SQS instance with the S3 storage. For more information, see [Configuring a bucket for notifications (SNS topic or SQS queue)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html).\n\n| **Note:** IAM user and KMS key policies are required for Amazon S3, AWS KMS, and Amazon SQS.\n| **Note:** For more information, see [Using IAM policies with AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html).\n\nBased on the service and region, identify the endpoints for connectivity by referring to the following AWS documentation:\n\n- For information about any logging source, see [AWS Identity and Access Management endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/iam-service.html).\n- For information about S3 logging sources, see [Amazon Simple Storage Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/s3.html).\n- For information about SQS logging sources, see [Amazon Simple Queue Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sqs-service.html).\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the AWS S3 Service Access feed\n--------------------------------------------\n\n1. Click the **Amazon Cloud Platform** pack.\n2. Locate the **AWS S3 Service Access** log type.\n3. Google SecOps supports log collection using an access key ID and secret method. To create the access key ID and secret, see [Configure tool authentication with AWS](https://docs.aws.amazon.com/powershell/latest/userguide/creds-idc.html).\n4. Specify the values in the following fields.\n\n - **Source Type**: Amazon SQS V2\n - **Queue Name**: The SQS queue name to read from\n - **S3 URI** : The bucket URI.\n - `s3://your-log-bucket-name/`\n - Replace `your-log-bucket-name` with the actual name of your S3 bucket.\n - **Source deletion options**: Select the deletion option according to your ingestion preferences.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.\n - **Maximum File Age**: Include files modified in the last number of days. Default is 180 days.\n\n - **SQS Queue Access Key ID**: An account access key that is a 20-character alphanumeric string.\n\n - **SQS Queue Secret Access Key**: An account access key that is a 40-character alphanumeric string.\n\n **Advanced options**\n - **Feed Name**: A prepopulated value that identifies the feed.\n - **Asset Namespace**: Namespace associated with the feed.\n - **Ingestion Labels**: Labels applied to all events from this feed.\n5. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]